Stop Blaming Users and Get Serious About Your IAM Practices

As the world continues to transform itself digitally, we users are constantly working with new technologies. We’re also using more technologies at once, in more places. Sometimes even before our first cup of coffee.

All of this ultimately leaves us more susceptible to making costly mistakes. Technology has proven over and over again that it evolves much more quickly than users’ ability to adjust. As a result, opportunities for error increase regularly and exponentially.

Today if a hacker knows someone’s email address or password, there’s a chance they can get into a bank account, an insurance account, LinkedIn, Salesforce, everything. And hackers have grown so sophisticated in their phishing attacks that even the most knowledgeable users — the very CISOs and security professionals who may be reading this article — can be duped into taking the bait.

So how is it that we can expect a higher level of sophistication from other users? Why do we continue to pin accountability for high-profile attacks on the user, when the security community hasn’t shifted its focus to where the risks are?

Responsibility must lie on the security community to understand the risks this ever-evolving landscape imposes on users, and to mitigate those risks by building more intelligent systems. We have to realize the promise of identity and access management (IAM), and become as comfortable protecting identities as we are protecting the network.

These days the app is the new perimeter, and identity is the key to that perimeter. But real IAM goes well beyond identity. CISOs need to be thinking about directory stores and policy engines that correlate to each user and the information they’re accessing.

We’re seeing this kind of approach with some cloud access security brokers who are escalating authentication protocols based on the sensitivity of fields in an app. A user may log on with 98 percent access, but as soon as they touch a field with sensitive data behind it, the solution invokes multifactor authentication.

This allows the organization to get much more granular about who can access what. It’s a good example of implementing controls to compensate for the fact that, with cloud computing, users can access high-impact business data from anywhere in the world.

Another example is the type of malware protection being offered by modern endpoint protection platforms. The industry has long understood that much of the malware being thrown at users requires root/admin access, and today we know that root access gives malware authors more control over an infected device. By blocking root access to apps that lack preauthorization from the IT department, these types of solutions significantly reduce the risks involved with user mistakes.

And ultimately that’s what this shift is all about — mitigating that risk. The community has been focused on securing data, but the root cause of data breaches is often the risk associated with IAM.

None of this is to say that user awareness isn’t important. Everyone in the organization is still on the hook for their annual security training, and training should also be offered any time a new technology or access point is introduced.

But if we accept that even the most sophisticated users make mistakes, then the focus becomes mitigating the risk involved with those mistakes, and implementing appropriate controls based on the value of the data and the application.

Here the onus isn’t on users. It’s on the IT security organization. Each time new tech functionality is introduced, IT is responsible to understand whether that functionality will introduce new risk. We need to stop the cycle of continuing to give users new functionality and new forms of access and then just blaming them whenever something goes wrong.

Given the increasing complexity of today’s technology landscape, security is unmanageable without this shift in approach. Taking a deeper look at IAM is becoming the critical piece to protecting those keys to the network perimeter, so if and when a user does lose one, the gateway stays locked.

Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of information Security at social media provider Demand Media where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.